...
|
The automatic login via the URL in the browser described below has been disabled for security reasons since Checkmk 2.2.0, because the credentials (user name and password) passed via URL are stored in the log files of the site-specific Apache (see Werk #14261). If you want to use automatic login via the URL despite this security risk, you must explicitly enable this with the global setting Setup > General > Global settings > User interface > Enable login via GET requests. Please refer to our Official Documentation for additional information. |
| Status |
|---|
| |
|---|
| colour | Yellow |
|---|
| title | LAST TESTED ON CHECKMK 2.1.0P1 |
|---|
|
| Panel |
|---|
| borderColor | black |
|---|
| bgColor | #f8f8f8 |
|---|
| title | Table of Contents |
|---|
|
|
Access Checkmk view within an Iframe
If your site Apache is secured by cookie-based authentication
| Code Block |
|---|
|
OMD[multisitemysite]:~$ omd config show MULTISITE_COOKIE_AUTH
on |
the The URL for auto login needs to be set like this:
| Code Block |
|---|
|
http://localhost/testmysite/check_mk/login.py?_origtarget=/testmysite/check_mk/view.py?view_name=allhosts&_username=cmkadmin&_password=cmk&_login=1 |
...
| Code Block |
|---|
|
http://cmkadmin:cmk@localhost/testmysite/check_mk/view.py?view_name=allhosts |
...
The same procedure for Nagios views presenting in an Iframe!
Content Security Policy
Our content security policy by default prevents you from embedding Checkmk into other websites, because being run in arbitrary iframes can be a security problem.
A website can constrain in both sides. Which sites are allowed to be included and which sites are allowed to include us.
To solve this you can add a configuration file, e.g., `etc/apache/conf.d/zzz_iframe.conf` (It must be loaded after etc/apache/conf.d/security.conf) with the following content:
| Code Block |
|---|
|
<IfModule mod_headers.c>
Header always edit Content-Security-Policy "frame-ancestors 'self' ;" "frame-ancestors 'self' YOUR-SERVER:YOUR-PORT ;"
Header always unset X-Frame-Options
</IfModule> |
What it does is to change the frame-ancestors directive and add a YOUR-SERVER:YOUR-PORT host. (This needs to be changed to the target system). It leaves the remaining CSP header as is.
Be advised: We do not recommend doing this due to the security concerns
Debug HTTPS iframes
Problem
| Note |
|---|
Since Werk #6774, it's not possible to use an HTTPS Iframe within Checkmk (this also affects nagvis). If you're considering doing this, please remember that this is a security issue and not supported by us. |
Determine the issue
You get the following broken page when opening an HTTPS Iframe within Checkmk.
Image Added
For a more verbose error message, open the developer tools of the current browser, select the Header Console, and refresh the page. This is usually done with the F12 key:
Image Added
The browser also produces an error about the missing Content-Secuirty-Policy (CSP). Please keep in mind that many Software/Pages do not want to be integrated as an Iframe due to security settings.
Related articles
| Filter by label (Content by label) |
|---|
| showLabels | false |
|---|
| max | 5 |
|---|
| spaces | CON |
|---|
| showSpace | false |
|---|
| sort | modified |
|---|
| reverse | true |
|---|
| type | page |
|---|
| cql | label in ( "view" , "gui" , "howto" ) and type = "page" and space = "CONKB" |
|---|
| labels | gui view |
|---|
|
...